{"id":"MGASA-2016-0012","summary":"Updated apache-commons-collections packages fix security vulnerability","details":"It was found that the Apache commons-collections library permitted code\nexecution when deserializing objects involving a specially constructed\nchain of classes. A remote attacker could use this flaw to execute\narbitrary code with the permissions of the application using the\ncommons-collections library (CVE-2015-7501).\n\nWith this update, deserialization of certain classes in the\ncommons-collections library is no longer allowed. Applications that\nrequire those classes to be deserialized can use the system property\n\"org.apache.commons.collections.enableUnsafeSerialization\" to re-enable\ntheir deserialization.\n","modified":"2026-04-16T06:25:41.750230841Z","published":"2016-01-14T01:44:39Z","upstream":["CVE-2015-7501"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2016-0012.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=17227"},{"type":"WEB","url":"https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread"},{"type":"WEB","url":"https://rhn.redhat.com/errata/RHSA-2015-2522.html"}],"affected":[{"package":{"name":"apache-commons-collections","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/apache-commons-collections?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.2.1-24.1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0012.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}